openshift
diff --git a/‎_topic_maps/_topic_map_rosa_hcp.yml
Lines changed: 81 additions & 0 deletions b/‎_topic_maps/_topic_map_rosa_hcp.yml
Lines changed: 81 additions & 0 deletions
diff --git a/‎cloud_experts_tutorials/cloud-experts-aws-load-balancer-operator.adoc
Lines changed: 6 additions & 10 deletions b/‎cloud_experts_tutorials/cloud-experts-aws-load-balancer-operator.adoc
Lines changed: 6 additions & 10 deletions
diff --git a/‎microshift_configuring/microshift-nw-ipv6-config.adoc
Lines changed: 1 addition & 1 deletion b/‎microshift_configuring/microshift-nw-ipv6-config.adoc
Lines changed: 1 addition & 1 deletion
diff --git a/‎modules/albo-installation.adoc
Lines changed: 41 additions & 37 deletions b/‎modules/albo-installation.adoc
Lines changed: 41 additions & 37 deletions
@@ -1014,6 +1014,87 @@ Topics:
 #  - Name: Advanced OADP features and functionalities
 #    File: oadp-advanced-topics
 ---
+Name: Networking
+Dir: networking
+Distros: openshift-rosa-hcp
+Topics:
+- Name: About networking
+  File: about-managed-networking
+- Name: Networking Operators
+  Dir: networking_operators
+  Distros: openshift-rosa-hcp
+  Topics:
+  - Name: AWS Load Balancer Operator
+    File: aws-load-balancer-operator
+  - Name: DNS Operator in Red Hat OpenShift Service on AWS
+    File: dns-operator
+  - Name: Ingress Operator in Red Hat OpenShift Service on AWS
+    File: ingress-operator
+  - Name: Ingress Node Firewall Operator in Red Hat OpenShift Service on AWS
+    File: ingress-node-firewall-operator
+- Name: Network verification
+  File: network-verification
+- Name: Configuring a cluster-wide proxy during installation
+  File: configuring-cluster-wide-proxy
+- Name: CIDR range definitions
+  File: cidr-range-definitions
+- Name: Network security
+  Dir: network_security
+  Distros: openshift-rosa-hcp
+  Topics:
+  - Name: Understanding network policy APIs
+    File: network-policy-apis
+  - Name: Cluster-scoped network policy
+    Dir: AdminNetworkPolicy
+    Distros: openshift-rosa-hcp
+    Topics:
+    - Name: About AdminNetworkPolicy
+      File: ovn-k-anp
+    - Name: About BaselineAdminNetworkPolicy
+      File: ovn-k-banp
+    - Name: Best practices cluster-wide network policy
+      File: ovn-k-anp-recommended-practices
+  - Name: Namespace-scoped network policy (NetworkPolicy)
+    Dir: network_policy
+    Distros: openshift-rosa-hcp
+    Topics:
+    - Name: About network policy
+      File: about-network-policy
+    - Name: Creating a network policy
+      File: creating-network-policy
+    - Name: Viewing a network policy
+      File: viewing-network-policy
+    - Name: Editing a network policy
+      File: editing-network-policy
+    - Name: Deleting a network policy
+      File: deleting-network-policy
+    - Name: Defining a default network policy for projects
+      File: default-network-policy
+    - Name: Configuring multitenant isolation with network policy
+      File: multitenant-network-policy
+  # Included for OSDOCS-13465
+  - Name: Audit logging for network security
+    File: logging-network-security
+    # OSDOCS-11830: Omitting egress firewall, ipsec encryption, zero egress
+- Name: Configuring the primary cluster network
+  Dir: ovn_kubernetes_network_provider
+  Distros: openshift-rosa-hcp
+  Topics:
+  - Name: About the OVN-Kubernetes network plugin
+    File: about-ovn-kubernetes
+# TODO OSDOCS-11830: The only instructional content in this section claims to be unsupported for HCP
+#   - Name: Configuring an egress IP address
+#     File: configuring-egress-ips-ovn
+# OpenShift SDN not supported for HCP
+- Name: Configuring Routes
+  Dir: routes
+  Distros: openshift-rosa-hcp
+  Topics:
+  - Name: Route configuration
+    File: route-configuration
+  - Name: Secured routes
+    File: secured-routes
+---
 Name: Nodes
 Dir: nodes
 Distros: openshift-rosa-hcp
 
@@ -20,18 +20,10 @@ toc::[]
 
 include::snippets/mobb-support-statement.adoc[leveloffset=+1]
 
-ifndef::openshift-rosa-hcp[]
 [TIP]
 ====
 Load Balancers created by the AWS Load Balancer Operator cannot be used for xref:../networking/routes/route-configuration.adoc#route-configuration[OpenShift Routes], and should only be used for individual services or ingress resources that do not need the full layer 7 capabilities of an OpenShift Route.
 ====
-endif::openshift-rosa-hcp[]
-ifdef::openshift-rosa-hcp[]
-[TIP]
-====
-Load Balancers created by the AWS Load Balancer Operator cannot be used for link:https://docs.openshift.com/rosa/networking/routes/route-configuration.html[OpenShift Routes], and should only be used for individual services or ingress resources that do not need the full layer 7 capabilities of an OpenShift Route.
-====
-endif::openshift-rosa-hcp[]
 
 The link:https://kubernetes-sigs.github.io/aws-load-balancer-controller/[AWS Load Balancer Controller] manages AWS Elastic Load Balancers for a {product-title} (ROSA) cluster. The controller provisions link:https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html[AWS Application Load Balancers (ALB)] when you create Kubernetes Ingress resources and link:https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html[AWS Network Load Balancers (NLB)] when implementing Kubernetes Service resources with a type of LoadBalancer.
 
@@ -54,11 +46,12 @@ AWS ALBs require a multi-AZ cluster, as well as three public subnets split acros
 
 ifndef::openshift-rosa-hcp[]
 * xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly[A multi-AZ ROSA classic cluster]
+* BYO VPC cluster
+//Moved inside ifndef since this is always true for HCP clusters
 endif::openshift-rosa-hcp[]
 ifdef::openshift-rosa-hcp[]
-* link:https://docs.openshift.com/rosa-hcp/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.html[A multi-AZ ROSA cluster]
+* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-sts-creating-a-cluster-quickly[A multi-AZ {hcp-title} cluster]
 endif::openshift-rosa-hcp[]
-* BYO VPC cluster
 * AWS CLI
 * OC CLI
 
@@ -123,6 +116,7 @@ $ aws ec2 create-tags \
      --tags Key=kubernetes.io/role/internal-elb,Value='' \
      --region ${REGION}
 ----
+//subnets are tagged already after rosa create network
 
 [id="installation_{context}"]
 == Installation
@@ -355,6 +349,8 @@ $ curl "http://${INGRESS}"
 ----
 Hello OpenShift!
 ----
+//TODO OSDOCS-11830: Couldn't get either of these validation checks to work, Andy R indicated that the related error seems to be that user is not authorized to do operation elasticloadbalancing:AddTags because "no identity based policy allows elasticloadbalancing:AddTags" however the linked policy does seem to allow that as far as I can tell: https://raw.githubusercontent.com/rh-mobb/documentation/main/content/rosa/aws-load-balancer-operator/load-balancer-operator-policy.json
+// That said, I'm not sure we should be getting our example policy from the rh-mobb repo
 
 . Deploy an AWS NLB for your hello world application:
 +
 
@@ -19,7 +19,7 @@ include::modules/microshift-nw-ipv6-dual-stack-migrating-config.adoc[leveloffset
 include::modules/microshift-nw-ipv6-dual-stack-reset-ipfam.adoc[leveloffset=+1]
 
 //OCP module, edit with conditionals and care
-include::modules/nw-ovn-kuberentes-limitations.adoc[leveloffset=+1]
+include::modules/nw-ovn-kubernetes-limitations.adoc[leveloffset=+1]
 
 [id="additional-resources_microshift-ipv6-config_{context}"]
 [role="_additional-resources"]
 
@@ -4,7 +4,7 @@
 [id="aws-load-balancer-operator-installation_{context}"]
 = Installing the AWS Load Balancer Operator
 
-After setting up your environment with your cluster, you can install the AWS Load Balancer Operator using the CLI.
+You can install the AWS Load Balancer Operator using the OpenShift CLI (`oc`). Use the same terminal session you used in _Setting up your environment to install the AWS Load Balancer Operator_ to make use of the environment variables.
 
 .Procedure
 . Create a new project within your cluster for the AWS Load Balancer Operator:
@@ -14,29 +14,24 @@ After setting up your environment with your cluster, you can install the AWS Loa
 $ oc new-project aws-load-balancer-operator
 ----
 
-. Create an AWS IAM policy for the AWS Load Balancer Controller:
+// TODO OSDOCS-11830 This policy looks like we can add tags but the deployment still complains of having no identity based policy that allows it - found the upstream 2.12.0 version of this IAM Policy and it does contain a number of extra things including ModifyIppools and some wildly different conditions on AddTags
+. Create an AWS IAM policy for the AWS Load Balancer Controller.
+.. Download the appropriate IAM policy:
 +
-[NOTE]
-====
-You can find the AWS IAM policy from link:https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.4/docs/install/iam_policy.json[the upstream AWS Load Balancer Controller policy]. This policy includes all of the permissions you needed by the Operator to function.
-====
+----
+wget -O "${SCRATCH}/load-balancer-operator-policy.json" \
+https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.12.0/docs/install/iam_policy.json
+----
+.. Create the policy and set up an environment variable for the policy ARN by running the following command:
 +
 [source,terminal]
 ----
-$ POLICY_ARN=$(aws iam list-policies --query \
-      "Policies[?PolicyName=='aws-load-balancer-operator-policy'].{ARN:Arn}" \
-      --output text)
-$ if [[ -z "${POLICY_ARN}" ]]; then
-     wget -O "${SCRATCH}/load-balancer-operator-policy.json" \
-        https://raw.githubusercontent.com/rh-mobb/documentation/main/content/rosa/aws-load-balancer-operator/load-balancer-operator-policy.json
-     POLICY_ARN=$(aws --region "$REGION" --query Policy.Arn \
+POLICY_ARN=$(aws --region "$REGION" --query Policy.Arn \
      --output text iam create-policy \
      --policy-name aws-load-balancer-operator-policy \
      --policy-document "file://${SCRATCH}/load-balancer-operator-policy.json")
-fi
-$ echo $POLICY_ARN
 ----
-+
+
 . Create an AWS IAM trust policy for AWS Load Balancer Operator:
 +
 [source,terminal]
@@ -53,28 +48,32 @@ $ cat <<EOF > "${SCRATCH}/trust-policy.json"
    }
  },
  "Principal": {
-   "Federated": "arn:aws:iam::$AWS_ACCOUNT_ID:oidc-provider/${OIDC_ENDPOINT}"
+   "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_ENDPOINT}"
  },
  "Action": "sts:AssumeRoleWithWebIdentity"
  }
  ]
 }
 EOF
 ----
-+
+
 . Create an AWS IAM role for the AWS Load Balancer Operator:
 +
 [source,terminal]
 ----
-$ ROLE_ARN=$(aws iam create-role --role-name "${ROSA_CLUSTER_NAME}-alb-operator" \
+$ ROLE_ARN=$(aws iam create-role --role-name "${CLUSTER_NAME}-alb-operator" \
    --assume-role-policy-document "file://${SCRATCH}/trust-policy.json" \
    --query Role.Arn --output text)
+----
+----
 $ echo $ROLE_ARN
-
-$ aws iam attach-role-policy --role-name "${ROSA_CLUSTER_NAME}-alb-operator" \
+----
+----
+$ aws iam attach-role-policy --role-name "${CLUSTER_NAME}-alb-operator" \
      --policy-arn $POLICY_ARN
 ----
-+
+//aws iam put-role-policy --role-name ${CLUSTER_NAME}-albo-operator --policy-name perms-policy-albo-operator --policy-document file://albo-operator-permission-policy.json
+
 . Create a secret for the AWS Load Balancer Operator to assume our newly created AWS IAM role:
 +
 [source,terminal]
@@ -92,7 +91,7 @@ stringData:
     web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
 EOF
 ----
-+
+
 . Install the AWS Load Balancer Operator:
 +
 [source,terminal]
@@ -117,11 +116,15 @@ spec:
   name: aws-load-balancer-operator
   source: redhat-operators
   sourceNamespace: openshift-marketplace
-  startingCSV: aws-load-balancer-operator.v1.0.0
+  startingCSV: aws-load-balancer-operator.v1.0.1
+  config:
+    env:
+    - name: ROLEARN
+      value: "${ROLE_ARN}"
 EOF
 ----
-+
-. Deploy an instance of the AWS Load Balancer Controller using the Operator:
+
+. Deploy an instance of the AWS Load Balancer Controller using the Operator.
 +
 [NOTE]
 ====
@@ -134,22 +137,23 @@ $ cat << EOF | oc apply -f -
 apiVersion: networking.olm.openshift.io/v1
 kind: AWSLoadBalancerController
 metadata:
-  name: cluster
+ name: cluster
 spec:
-  credentials:
-    name: aws-load-balancer-operator
+ credentialsRequestConfig:
+   stsIAMRoleARN: ${ROLE_ARN}
 EOF
 ----
-+
+
 . Check the that the Operator and controller pods are both running:
 +
 [source,terminal]
 ----
 $ oc -n aws-load-balancer-operator get pods
 ----
 +
-You should see the following, if not wait a moment and retry:
+If you do not see output similar to the following, wait a few moments and retry.
 +
+.Example output
 [source,terminal]
 ----
 NAME                                                             READY   STATUS    RESTARTS   AGE
@@ -166,14 +170,14 @@ aws-load-balancer-operator-controller-manager-577d9ffcb9-w6zqn   2/2     Running
 ----
 $ oc new-project hello-world
 ----
-+
+
 . Deploy a hello world application:
 +
 [source,terminal]
 ----
 $ oc new-app -n hello-world --image=docker.io/openshift/hello-openshift
 ----
-+
+
 . Configure a NodePort service for the AWS ALB to connect to:
 +
 [source,terminal]
@@ -194,7 +198,7 @@ spec:
     deployment: hello-openshift
 EOF
 ----
-+
+
 . Deploy an AWS ALB using the AWS Load Balancer Operator:
 +
 [source,terminal]
@@ -221,8 +225,8 @@ spec:
                   number: 80
 EOF
 ----
-+
-. Curl the AWS ALB Ingress endpoint to verify the hello world application is accessible:
+
+. Use Curl to access the AWS ALB Ingress endpoint to verify the hello world application is accessible:
 +
 [NOTE]
 ====
@@ -266,7 +270,7 @@ spec:
     deployment: hello-openshift
 EOF
 ----
-+
+
 . Test the AWS NLB endpoint:
 +
 [NOTE]